Server security is necessary to avoid all attack that will happen. IPS (Intrusion Prevention System) is an example of right solution for the security system. IPS can prevent an attack by using the IDS (Intrusion Detection System) and firewall features. In this paper, bro IPS on the server will be tested with some attack include DOS (Denial of Service), port scanning, and ftp brute force to ensure the IPS works well. These attack will conclude the point of security metric and we can calculate it using CVSS and VEA-bility metric with three different topologies which the value of that metric will determine how secure a system owned by a range of value 0 to 10 based on calculation involving the value of vulnerability dimension, exploitability dimension and attackability dimension. In this experiment we got 3.07 score from non-firewall topology, 5.97 score from separated server topology, and 6.8 score from separated server and firewall topology. Meanwhile we got 1.83 score for DOS attack, 0.267 score for port scanning attack and 4.27 for FTP brute force attack for CVSS value.